incident
Bissa Scanner AI-Assisted Mass Exploitation and Credential Harvesting Operation ExposedBissa Scanner
An exposed server revealed a large-scale, AI-assisted exploitation operation named Bissa Scanner, which leveraged CVE-2025-55182 (React2Shell) to compromise over 900 victims and harvest credentials from tens of thousands of .env files. The operator used Claude Code and OpenClaw for workflow orchestration, targeting financial, cryptocurrency, and retail sectors for deeper post-compromise collection. The operation demonstrates a mature, modular pipeline for scanning, exploitation, credential validation, and alerting via Telegram bots.